Full Report
A stack-based buffer overflow vulnerability (CVE-2026-11979) has been found in the `xmlcatalog` utility shipped with libxml2.
Analysis Summary
# Vulnerability: Stack-based Buffer Overflow in libxml2 xmlcatalog
## CVE Details
- **CVE ID:** CVE-2026-11979
- **CVSS Score:** Not rated in the coordination report; an estimate of roughly 7.8 (High) follows from the local attack vector and the High confidentiality, integrity and availability impacts listed below.
- **CWE:** CWE-121 (Stack-based Buffer Overflow)
## Affected Systems
- **Products:** xmlsoft libxml2
- **Versions:** All versions through 2.15.3
- **Configurations:** The bug is in the `xmlcatalog` command-line tool and is reachable only when the tool runs in interactive `--shell` mode; non-shell invocations do not exercise the affected code.
## Vulnerability Description
A stack-based buffer overflow exists in the `usershell()` function of the `xmlcatalog` tool. In shell mode the utility reads command lines from the user and copies the command name and its arguments into fixed-size buffers on the stack (`command`, `arg`, and the `argv` pointer array) without comparing the length of the input against the size of those buffers. A sufficiently long command name, argument string, or argument list therefore writes past the end of the corresponding buffer and corrupts the surrounding stack frame, including whatever saved registers and return address the compiler placed above it.
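As an added illustration that is not code from libxml2 or from the advisory, the following C program models the pattern the description above attributes to `usershell()`: a command line is tokenised into fixed-size stack buffers, first with no bound on the copy index, then in a hardened form where every store is checked against the destination size and the argument count is capped. The buffer sizes, function names, error codes and the `--vuln` switch are assumptions made for the demonstration and do not correspond to the real tool.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative sizes (assumed, not the real xmlcatalog values): kept small so
 * the overflow is easy to trigger and reason about. */
#define CMD_MAX  16
#define ARG_MAX  32
#define ARGV_MAX 4

enum parse_rc {
    PARSE_OK = 0,
    PARSE_CMD_TOO_LONG = -1,
    PARSE_ARG_TOO_LONG = -2,
    PARSE_TOO_MANY_ARGS = -3
};

static int is_blank(char c) { return c == ' ' || c == '\t'; }
static int is_eol(char c)   { return c == '\0' || c == '\n' || c == '\r'; }

/* Vulnerable pattern (assumed shape, modelled on the advisory's description):
 * the command name and argument string are copied into the caller's fixed-size
 * buffers and the index is never compared with the buffer size. */
static void parse_line_unsafe(const char *line, char *command, char *arg)
{
    const char *cur = line;
    int i = 0;

    while (is_blank(*cur)) cur++;
    while (!is_eol(*cur) && !is_blank(*cur))
        command[i++] = *cur++;          /* no bound on i: overruns command[] */
    command[i] = '\0';

    while (is_blank(*cur)) cur++;
    i = 0;
    while (!is_eol(*cur))
        arg[i++] = *cur++;              /* no bound on i: overruns arg[] */
    arg[i] = '\0';
}

/* Hardened form: each store is checked against the destination size (leaving
 * room for the terminator) and the argv slot count is capped. Over-long input
 * is rejected with an error code rather than silently truncated. */
static int parse_line_safe(const char *line, char *command, size_t cmd_size,
                           char *arg, size_t arg_size,
                           char **argv, size_t argv_size, int *nbargs)
{
    const char *cur = line;
    size_t i = 0;
    char *p;

    *nbargs = 0;
    while (is_blank(*cur)) cur++;
    while (!is_eol(*cur) && !is_blank(*cur)) {
        if (i + 1 >= cmd_size) return PARSE_CMD_TOO_LONG;
        command[i++] = *cur++;
    }
    command[i] = '\0';

    while (is_blank(*cur)) cur++;
    i = 0;
    while (!is_eol(*cur)) {
        if (i + 1 >= arg_size) return PARSE_ARG_TOO_LONG;
        arg[i++] = *cur++;
    }
    arg[i] = '\0';

    /* Split the argument string on whitespace, in place, into at most argv_size slots. */
    for (p = arg; *p != '\0'; ) {
        while (is_blank(*p)) p++;
        if (*p == '\0') break;
        if ((size_t)*nbargs >= argv_size) return PARSE_TOO_MANY_ARGS;
        argv[(*nbargs)++] = p;
        while (*p != '\0' && !is_blank(*p)) p++;
        if (*p != '\0') *p++ = '\0';
    }
    return PARSE_OK;
}

/* Parse one line into local stack buffers; returns the argument count on
 * success or the negative parse_rc code on rejection. */
static int count_args(const char *line)
{
    char command[CMD_MAX], arg[ARG_MAX];
    char *argv[ARGV_MAX];
    int nbargs, rc;

    rc = parse_line_safe(line, command, sizeof command, arg, sizeof arg,
                         argv, ARGV_MAX, &nbargs);
    return rc == PARSE_OK ? nbargs : rc;
}

/* Constructed probe in the shape a PoC or fuzzer would send: "add " + len bytes of 'A'. */
static int probe_long_arg(size_t len)
{
    char *line = malloc(len + 5);
    int rc;

    if (line == NULL) exit(1);
    memcpy(line, "add ", 4);
    memset(line + 4, 'A', len);
    line[len + 4] = '\0';
    rc = count_args(line);
    free(line);
    return rc;
}

int main(int argc, char **argv)
{
    char command[CMD_MAX], arg[ARG_MAX], line[256];

    if (argc > 1 && strcmp(argv[1], "--vuln") == 0) {
        /* Build with -fsanitize=address to get a stack-buffer-overflow report here. */
        memset(line, 'A', 200);
        line[200] = '\0';
        parse_line_unsafe(line, command, arg);
        return 0;
    }
    printf("normal line -> %d args\n", count_args("add public foo bar"));
    printf("4096-byte argument -> rc %d\n", probe_long_arg(4096));
    return 0;
}
```

Building with `-fsanitize=address` and running the program with `--vuln` produces the `stack-buffer-overflow` report that the Detection section below refers to; the hardened parser, by contrast, returns an error code for the same input and never writes outside its buffers. The same sanitizer build of libxml2 itself, fed a multi-kilobyte line on stdin in `--shell` mode, is the quickest way to confirm whether a given `xmlcatalog` binary still carries the unbounded copy.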
## Exploitation
- **Status:** PoC available (referenced in coordination report); No confirmed reports of exploitation in the wild.
- **Complexity:** Medium (the attacker must be able to feed a command line to the interactive shell; no memory-layout knowledge is needed to trigger the crash, but turning it into code execution depends on the build's stack protections).
- **Attack Vector:** Local (Requires the ability to provide input to the `xmlcatalog` shell).
## Impact
- **Confidentiality:** High (Potential for memory disclosure or code execution).
- **Integrity:** High (Potential for arbitrary code execution).
- **Availability:** High (Results in process crash/denial of service).
## Remediation
### Patches
- The issue is fixed in the libxml2 source tree by commit `c2e233fc`. Update to a release that includes this commit, or apply it to the version in use; since every release through 2.15.3 is affected, no release at or below that version contains the fix without the commit being backported.
### Workarounds
- Avoid running `xmlcatalog` in `--shell` mode on untrusted input. The shell reads its commands from standard input, so this applies equally to piped or scripted input, not only to interactive typing.
- Limit execution permissions of the `xmlcatalog` binary to authorized users only.
## Detection
- **Indicators of Compromise:** Unusual crashes or segmentation faults of the `xmlcatalog` process. Note that a successful exploit does not have to crash the process, so the absence of crashes is not evidence of absence.
- **Detection Methods:** Static review of the copy loops in `xmlcatalog.c` for missing bounds checks, or dynamic analysis with a memory sanitizer such as AddressSanitizer (ASan) while supplying over-long command lines to the shell interface.
## References
- hxxps[://]cert[.]pl/en/posts/2026/06/vulnerability-in-libxml2/
- hxxps[://]www[.]cve[.]org/CVERecord?id=CVE-2026-11979
- hxxps[://]cwe[.]mitre[.]org/data/definitions/121[.]html